Hash Functions Nathanael Paul Oct. 9, 2002


Hash Functions: Introduction

• Cryptographic hash functions
  – Input – any length
  – Output – fixed length
  – H(x) – easy
  – H(x) – one way
    • “hard to invert”
  – H(x) collision free

Purposes for hash functions

• Data Integrity
  – Ex: Tripwire
  – Message digest
    • y = h(x). y is called the message digest.
    • 160 bits in size – “birthday attack”

• Message Source

• Digital Signatures

• Message Authentication Codes (MAC)

Digital Signatures and Message Authentication Code (MAC) overview

• Suppose Alice and Bob share a secret key k which determines hash function h_k
• Alice sends (x, y) to Bob where y = h_k(x)
• Bob receives (x, y) and verifies with y = h_k(x). If condition holds, neither x nor y was modified in transit.

Hash Family

• (X,Y,K,H)
  – For each k in K, there exists an h in H, such that

hk(x) y

• Assume |X| >= |Y| (even better, 2|X| >= |Y|)

• Unkeyed hash function
  – |K| = 1
  – Ex. SHA-1 (successor of MD4)

Conditions of a secure hash function

• Preimage
  – Find x such that h(x) = y, given y and the function h().
  – one-way
• Second Preimage
  – Find x’ != x, such that h(x) = h(x’), given x and the function h().
  – weak collision resistance
• Collision
  – Find x and x’ with x != x’ such that h(x) = h(x’), given the function h().
  – strong collision resistance

Iterated hash function overview

• compression function
  – Given input of length m, produce output of length n
  – inputs to compression function:
    • message block, m_i
    • output of previous blocks of text
    • h_i = f(m_i, h_{i-1})
• MD-strengthening (Merkle-Damgard)
  – pre-image contains length of entire message
  – initialization vector (padding function)

Modes of operation

• Modes of operation
  – ECB, CBC, CFB, OFB
  – different characteristics:
    • error propagation
    • efficiency
    • increase in data size
  – NIST document on modes of operation
    • http://csrc.nist.gov/encryption/tkmodes.html
  – Next slide shows CBC mode of operation...

Message Authentication Codes

• Oscar’s (adversary) goal:
  – produce a valid pair (x,y) without knowing the key k
• Oscar knows
  – valid pairs
    Pairs = {(x_1,y_1),(x_2,y_2),...,(x_q,y_q)}
• forgery
  – Oscar outputs an (x,y) where x is not in Pairs

Review of types of attacks

• Ciphertext-only
  – Oscar possesses a string of ciphertext, y
• Known plaintext
  – has ciphertext, y, corresponding to a message, x
• Chosen plaintext
  – access to encryption. choose x, get y
• Chosen ciphertext
  – choose y, get x

Ways of creating a MAC

• Base MAC on block cipher
  – block cipher already implemented, so part of implementation is done
• MAC from an unkeyed hash
  – just add a key to output of unkeyed hash
  – requires careful analysis
• Create a customized MAC

CBC MAC

• use block cipher in CBC mode with fixed IV

• best general attack is birthday attack

Nested MACs

• Nested MAC
  – composition of 2 keyed hash families
    • G o H = {g o h : g is in G, h is in H} where (g o h)_(k,l)(x) = h_l(g_k(x))
  – Secure if the following holds (given unknown key):
    • G is collision-resistant
    • H is secure as a MAC

Types of attacks on nested MACs

• forger for nested MAC

• forger for the little MAC
  – attack on component MAC H

• unknown-key collision attack

Attack 1: Forger on nested MAC

• pair of keys (k,l) are kept secret

• Oscar:
  – chooses an x
  – oracle – “magic box”
  – given x, oracle computes z = h_l(g_k(x))
  – tries to find (x’, z) where x’ was not any x given to oracle

Attack 2: Forger on smaller MAC component of nested MAC (H family)

• key l is chosen and kept secret (l is in keyspace of H family of hashes)

• Oscar:
  – chooses y
  – given y, oracle computes z = h_l(y)
  – tries to output (y’,z) where y’ was not in one of its previous queries to oracle

Attack 3: Collision Finder for a hash family

• key k in K is kept secret

• Oscar:
  – chooses an x
  – given x, oracle computes g_k(x)
  – tries to find x’ and x’’ where x’ != x’’ and g_k(x’) = g_k(x’’)

HMAC

• nested MAC algorithm (proposed standard)
  – based on SHA-1
  – uses 512-bit key k
  – 2 512-bit constants, ipad and opad
• 160-bit MAC
  – HMAC_k(x) = SHA-1((k ⊕ opad) || SHA-1((k ⊕ ipad) || x))
    • ipad component resistant against unknown-key collision attack
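
The nested construction on this slide, written out over SHA-1 together with Alice's tagging and Bob's check from the MAC overview, as an added example that is not part of the original slides. The key, the messages and the function names are constructed for illustration; key padding and the ipad/opad byte values follow RFC 2104.

```python
import hashlib
import hmac

BLOCK = 64                      # SHA-1 block size: 512 bits
IPAD = bytes([0x36] * BLOCK)    # inner 512-bit constant (RFC 2104)
OPAD = bytes([0x5C] * BLOCK)    # outer 512-bit constant (RFC 2104)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def hmac_sha1(key: bytes, msg: bytes) -> bytes:
    """HMAC_k(x) = SHA-1((k XOR opad) || SHA-1((k XOR ipad) || x))."""
    # Bring the key to exactly one block: hash it if too long, then zero-pad.
    if len(key) > BLOCK:
        key = hashlib.sha1(key).digest()
    key = key.ljust(BLOCK, b"\x00")
    inner = hashlib.sha1(_xor(key, IPAD) + msg).digest()   # g_k(x)
    return hashlib.sha1(_xor(key, OPAD) + inner).digest()  # h_l(g_k(x))

def alice_send(key: bytes, x: bytes):
    """Alice sends (x, y) with y = h_k(x)."""
    return x, hmac_sha1(key, x)

def bob_verify(key: bytes, x: bytes, y: bytes) -> bool:
    """Bob recomputes the tag and compares in constant time."""
    return hmac.compare_digest(hmac_sha1(key, x), y)

def demo() -> dict:
    key = b"constructed-shared-key"          # constructed sample key
    x, y = alice_send(key, b"transfer 100 to bob")
    flipped = bytes([y[0] ^ 1]) + y[1:]      # one bit of the tag changed
    return {
        "matches_stdlib": y == hmac.new(key, x, hashlib.sha1).digest(),
        "tag_bits": len(y) * 8,
        "accepts_genuine": bob_verify(key, x, y),
        "rejects_modified_x": not bob_verify(key, b"transfer 900 to bob", y),
        "rejects_modified_y": not bob_verify(key, x, flipped),
        "rejects_wrong_key": not bob_verify(b"some-other-key", x, y),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
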

Further Reading

• Applied Cryptography, Bruce Schneier

• Cryptography: Theory and Practice, Douglas Stinson

• Handbook of Applied Cryptography, Alfred Menezes, et al.
  – available for download at: http://www.cacr.math.uwaterloo.ca/hac/